Exceptions to display to the user or only to developers?

I recently read an article on http://phpmaster.com/exceptional-exceptions/ , and the author said about exceptions:

your calling code should never ever read the message. The only thing the message is useful for is developers.

On the W3Schools website, they show an example where they display an exception message when it is caught, so I'm confused. I learned a lot from http://www.phpmaster.com and trust what they say, but W3Schools is always reliable too, so is that the right thing?

Is the exception message supposed to be displayed to the user, or is this something for developers? Maybe this is not even so important, and it can be used in both directions without any harm?

+3
5 answers

It depends on the scenario, but the biggest issue is security. When a developer throws an exception, they usually try to include some useful information in the message about what exactly went wrong. They cannot know if this information will be considered sensitive by you in the current context.

As an example, let's say you have a website with a login form. If the Users table was not in the database, and someone tried to log in, the exception created could be something like: "Unable to find table users in database MyDb (db.mysite.com)".

If this message is displayed to an attacker, they now know where your database is and what the db/table names are.

In this scenario, I try to log the complete exception with a unique identifier and display the identifier to the user, so that I can follow it up later if necessary.

Conversely, if it is a desktop application, then I lean the other way: exception messages can help the end user (for example, "Access Denied" is something that the user can resolve). Even then you are not sure that the exception message will be useful (ala "Reference not set to an instance of an object"), so I tend to wrap any exception inside a more useful one (for example, "Unable to connect to database") and expose a list of all inner exceptions. This means that the user receives an understandable message, but can also receive more useful information, if available, without it being a security risk.

+2

There is no clear answer. It depends on the information the message gives.
If your messages do not contain confidential information, you can print them to the client.

I like to use the $code parameter to print the error to the client.
Something like this:

    function clientError(Exception $e) {
        $error = 'Unknown error!';
        // Pick the client-facing text from the exception code, never from the message
        switch ($e->getCode()) {
            case 404:
                $error = 'Not found error!';
                break;
            case 403:
                $error = 'You cannot access this page!';
                break;
            // further cases elided in the original answer
        }
        return "$error [error code: {$e->getCode()}]";
    }

Save the error message in the error log and print the clientError to the client:

    try {
        if (!$user->isMember()) {
            throw new Exception("Guest {$user->id} tried to access to newPost.php page", 403);
        }
    } catch (Exception $e) {
        $errorLog->newError($e);   // full exception goes to the error log
        echo clientError($e);      // only the safe, code-based text goes to the client
    }

In this example, a line is added to the error log with the message:
"Guest 123 was trying to access the newPost.php page"
and this is printed:
"You cannot access this page!"

+1
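Combining the first two answers above, an added example in PHP that is not from either answer: the complete exception chain is logged under a unique reference id, and the client sees only a code-based message plus that id. The names AppException, describeChain and reportException, the log path and the sample failure are assumed for illustration.

```php
<?php
// Added example: log the full exception chain under a unique reference id
// and return only a safe, code-based message plus that id to the client.
// AppException / reportException are illustrative names, not a library API.
class AppException extends RuntimeException {}

// Client-safe text chosen by exception code, never by message content.
function clientMessage(Throwable $e): string
{
    switch ($e->getCode()) {
        case 403: return 'You cannot access this page!';
        case 404: return 'Not found error!';
        default:  return 'Unknown error!';
    }
}

// Developer-facing description of every exception in the chain (outer first).
function describeChain(Throwable $e): string
{
    $lines = [];
    for ($cur = $e, $depth = 0; $cur !== null; $cur = $cur->getPrevious(), $depth++) {
        $lines[] = sprintf('%s%s: %s (code %s) at %s:%d',
            str_repeat('  ', $depth), get_class($cur), $cur->getMessage(),
            $cur->getCode(), $cur->getFile(), $cur->getLine());
    }
    return implode("\n", $lines);
}

// Append the full details to the log; return what the client may see.
function reportException(Throwable $e, string $logFile): string
{
    $ref = bin2hex(random_bytes(8));  // unique reference id for later follow-up
    $entry = sprintf("[%s] ref=%s\n%s\n%s\n\n", date('c'), $ref,
        describeChain($e), $e->getTraceAsString());
    file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);
    return clientMessage($e) . " [reference: $ref]";
}

// Usage: a constructed low-level failure is wrapped in a more useful
// exception, keeping the original as the inner exception for the log only.
try {
    try {
        throw new RuntimeException('Unable to find table users in database MyDb (db.mysite.com)');
    } catch (RuntimeException $inner) {
        throw new AppException('Unable to connect to database', 500, $inner);
    }
} catch (Throwable $e) {
    echo reportException($e, sys_get_temp_dir() . '/app-errors.log'), PHP_EOL;
}
```

The client output contains neither the table name nor the host, while the log entry under the same reference id holds the whole chain and the stack trace.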

Almost correct. You, of course, do not want to present a hacker with, say, a stack frame. Presenting them to the user is not so useful either. Having said this, following this advice as he imagined it falls into a trap.

Sometimes the exception class you get is too general, and the only way to identify it is to check the text. OLE was a classic for this. Run a SQL statement and you received an OLEDB exception no matter what. Another related one is when you just use a catch-all and assume that the only exception to be thrown is the one you thought might be, and then you get the message I hear, "There is a problem saving your document", which may be one of a whole host of problems.

No matter what else you do, log the unhandled exception and the stack frame if you get one. This is obvious, but too many fall into this trap.

Do not narrow the problem down to the message that you present; this is a completely useless route.

Even exceptions for developers have gone down the route of "access violation at 0000000 to 0000000", the brilliantly stupid "Unknown OLE (5) error" or the ever-annoying MSI "error 1603".

+1

Re W3Schools: http://w3fools.com/

Exceptions are for developers only. They may contain information that will help an attacker to hack your site, and they are not very good. Catch an exception if you expect it and do what users expect, for example, display an error message that they can understand. If you did not expect an exception to occur, you have a problem that you need to fix.

Unhandled exceptions are also known as "errors" ;)

0

In most cases, exceptions do not help end users due to their lack of programming experience; you should handle your own exceptions and put a clear message to end users.

0